Docket No. RSW920010137US1 



PATENT 



IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 



In re application of: Bardsley et al.
Serial No. 09/917,368
Filed: July 27, 2001
For: Correlating Network Information and Intrusion Information to Find the Entry Point of an Attack Upon a Protected Computer

Group Art Unit: 2137
Examiner: Popham, Jeffrey D.



Commissioner for Patents
P.O. Box 1450
Alexandria, VA 22313-1450



APPEAL BRIEF (37 C.F.R. 41.37) 

This brief is in furtherance of the Notice of Reinstatement of Appeal, filed in this case on 
September 12, 2007. 

No fees are believed to be required. If, however, any fees are required, I authorize the 
Commissioner to charge these fees which may be required to IBM Corporation Deposit Account 
No. 09-0457. No extension of time is believed to be necessary. If, however, an extension of 
time is required, the extension is requested, and I authorize the Commissioner to charge any fees 
for this extension to IBM Corporation Deposit Account No. 09-0457. 
REAL PARTY IN INTEREST 



The real party in interest in this appeal is the following party: International Business 
Machines Corporation of Armonk, New York. 
RELATED APPEALS AND INTERFERENCES 

With respect to other appeals or interferences that will directly affect, or be directly affected 
by, or have a bearing on the Board's decision in the pending appeal, there are no such appeals or 
interferences. 
STATUS OF CLAIMS 



A. TOTAL NUMBER OF CLAIMS IN APPLICATION 

Claims in the application are: 5-11 and 15-27. 

B. STATUS OF ALL THE CLAIMS IN APPLICATION 

Claims canceled: 1-4 and 12-14. 

Claims withdrawn from consideration but not canceled: None. 

Claims pending: 5-11 and 15-27. 

Claims allowed: None. 

Claims rejected: 5-11 and 15-27. 

Claims objected to: None. 

C. CLAIMS ON APPEAL 

The claims on appeal are: 5-11 and 15-27. 
STATUS OF AMENDMENTS 

No amendments were filed after the office action of June 12, 2007. 
SUMMARY OF CLAIMED SUBJECT MATTER 



A. CLAIM 5 - INDEPENDENT 

The subject matter of claim 5 deals with identifying the entry point of an attack upon a 
device protected by an intrusion detection system. See Specification, p. 1, ll. 4-6 and Figure 5. 

The method of claim 5 includes the steps of obtaining intrusion information, from an 
intrusion detection system, regarding an attack upon a device protected by the intrusion detection 
system (Specification, p. 8, ll. 3-10; and Figure 2, reference numeral 200), obtaining network 
information, from network equipment connected to the device, regarding the attack (Specification, 
p. 8, l. 18 through p. 9, l. 10; and Figure 3, reference numeral 300), determining a logical entry 
point of the attack using a correlation engine to correlate the intrusion information and the network 
information (Specification, p. 6, l. 14 through p. 7, l. 2) and identifying a physical entry point 
associated with the logical entry point (Specification, p. 11, ll. 7-10; and Figure 5, reference 
numeral 530). 

B. CLAIM 21 - INDEPENDENT 

The subject matter of claim 21 deals with a computer-implemented method of identifying 
the entry point of an attack upon a device protected by an intrusion detection system, wherein the 
device is one of a plurality of devices connected by a network. See the specification, p. 1, ll. 4-6; 
specification p. 7, ll. 3-10; and Figure 5. 

The method includes the computer-implemented steps of detecting an attack on the device 
(Specification, p. 7, ll. 3-10), notifying a correlation engine of the attack on the device 
(Specification, p. 10, ll. 6-12; and Figure 5, reference numeral 505), obtaining intrusion information 
regarding the attack (Specification, p. 8, ll. 3-10; and Figure 2, reference numeral 200), obtaining 
network information regarding the attack (Specification, p. 8, l. 18 through p. 9, l. 10; and Figure 3, 
reference numeral 300), using the correlation engine, correlating the intrusion information and the 
network information to produce correlation information (Specification, p. 6, l. 14 through p. 7, l. 2), 
using the correlation information, finding on the network a logical port of connection used by the 
attack (Specification, p. 6, l. 14 through p. 7, l. 2), and mapping the logical port on the network to a 
physical port on the network using the correlation engine (Specification, p. 11, ll. 7-10; p. 9, ll. 15- 
20; and Figure 5, reference numeral 530). 



(Appeal Brief Page 6 of 42) 
Bardsley et al. - 09/917,368 



C. CLAIM 25 - INDEPENDENT 

The subject matter of claim 25 deals with an apparatus for detecting a point of an attack on 
a network. See the specification, p. 1, ll. 4-6; specification p. 7, ll. 3-10; and Figure 5. 

The apparatus includes network equipment for connecting a protected device to a network 
(Specification, p. 7, l. 11 through p. 8, l. 2; and Figure 1, reference numeral 110), an intrusion 
detection system comprising intrusion detection equipment (Specification, p. 7, ll. 3-10), a 
correlation engine (Specification, p. 7, ll. 15-20; and Figure 1, reference numeral 140) adapted to 
receive a notification of an attack on the protected device (Specification, p. 10, ll. 6-12; and Figure 
5, reference numeral 505), receive intrusion information regarding the attack (Specification, p. 8, ll. 
3-10; and Figure 2, reference numeral 200), and receive network information regarding the attack, 
wherein the network information pertains to the network (Specification, p. 8, l. 18 through p. 9, l. 
10; and Figure 3, reference numeral 300), correlate the intrusion information and the network 
information to produce correlation information (Specification, p. 6, l. 14 through p. 7, l. 2), use the 
correlation information to find on the network a logical port of connection used by the attack 
(Specification, p. 6, l. 14 through p. 7, l. 2), and map the logical port on the network to a physical 
port on the network using the correlation engine (Specification, p. 11, ll. 7-10; p. 9, ll. 15-20; and 
Figure 5, reference numeral 530). 

D. CLAIM 26 - DEPENDENT 

The subject matter of claim 26 is directed to the apparatus of claim 25 further comprising a 
means for alerting a network manager to the location of the logical port and of the physical port 
(Specification, p. 11, ll. 10-18; and Figure 1, reference numeral 140). 
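As an added illustration of the claimed method (this is not the applicants' code and not the specification's implementation), the following Python sketch runs the four steps of claim 5 and the logical-port-to-physical-port mapping of claims 21 and 25 on constructed data: an IDS report is correlated with flow records exported by network equipment, the TCP/UDP port the attack used on the protected device is taken as the logical entry point, and the ingress interface carrying that traffic is resolved to a physical port through an interface inventory. The correlation keys (attacker and target addresses plus a time window), the flow-record fields and the inventory table are assumptions, not details taken from the specification.

```python
"""Added example: a minimal correlation engine for the claimed method.
All intrusion information, flow records and inventory entries below are
constructed for illustration; nothing here comes from the specification."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IntrusionInfo:
    """Intrusion information as reported by the intrusion detection system."""
    attacker_ip: str
    target_ip: str
    detected_at: int            # epoch seconds


@dataclass(frozen=True)
class FlowRecord:
    """Network information exported by network equipment connected to the device."""
    device: str
    ingress_ifindex: int        # interface the traffic arrived on
    src_ip: str
    dst_ip: str
    protocol: str               # "tcp" or "udp"
    dst_port: int
    first_seen: int
    last_seen: int
    packets: int


@dataclass(frozen=True)
class LogicalEntryPoint:
    """The operating-system port on the protected device that the attack used."""
    protocol: str
    port: int


@dataclass(frozen=True)
class PhysicalEntryPoint:
    """The physical network port through which the attack traffic entered."""
    device: str
    ifindex: int
    label: str


# Assumed interface inventory of the network equipment: (device, ifindex) -> port name.
INTERFACE_INVENTORY: Dict[Tuple[str, int], str] = {
    ("edge-sw-1", 3): "GigabitEthernet0/3",
    ("edge-sw-1", 4): "GigabitEthernet0/4",
    ("edge-sw-1", 24): "GigabitEthernet0/24",
}


def correlate(intrusion: IntrusionInfo, flows: List[FlowRecord], window: int = 60) -> List[FlowRecord]:
    """Correlate intrusion information with network information: keep the flows between the
    reported attacker and target that overlap the detection time (+/- window seconds)."""
    lo, hi = intrusion.detected_at - window, intrusion.detected_at + window
    return [f for f in flows
            if f.src_ip == intrusion.attacker_ip and f.dst_ip == intrusion.target_ip
            and f.last_seen >= lo and f.first_seen <= hi]


def determine_logical_entry_point(matched: List[FlowRecord]) -> Optional[LogicalEntryPoint]:
    """The logical entry point is the (protocol, port) on the target that carried the most
    correlated packets; None when nothing correlated."""
    if not matched:
        return None
    packets: Counter = Counter()
    for f in matched:
        packets[(f.protocol, f.dst_port)] += f.packets
    proto, port = packets.most_common(1)[0][0]
    return LogicalEntryPoint(proto, port)


def identify_physical_entry_point(matched: List[FlowRecord], logical: LogicalEntryPoint,
                                  inventory: Dict[Tuple[str, int], str]) -> Optional[PhysicalEntryPoint]:
    """Map the logical port to a physical port: the ingress interface on which the correlated
    traffic for that port arrived. Several candidate interfaces are reported as ambiguous (None)."""
    ingress = {(f.device, f.ingress_ifindex) for f in matched
               if (f.protocol, f.dst_port) == (logical.protocol, logical.port)}
    if len(ingress) != 1:
        return None
    device, ifindex = ingress.pop()
    label = inventory.get((device, ifindex), f"ifindex {ifindex} (not in inventory)")
    return PhysicalEntryPoint(device, ifindex, label)


def find_entry_point(intrusion: IntrusionInfo, flows: List[FlowRecord],
                     inventory: Dict[Tuple[str, int], str]):
    """The whole method: correlate the two kinds of information, determine the logical
    entry point, then identify the physical entry point associated with it."""
    matched = correlate(intrusion, flows)
    logical = determine_logical_entry_point(matched)
    if logical is None:
        return None, None
    return logical, identify_physical_entry_point(matched, logical, inventory)


# Constructed sample input: one IDS report and four flow records from the switch.
SAMPLE_INTRUSION = IntrusionInfo(attacker_ip="203.0.113.7", target_ip="10.0.0.5", detected_at=1000)
SAMPLE_FLOWS = [
    FlowRecord("edge-sw-1", 24, "10.0.0.9", "10.0.0.5", "tcp", 443, 900, 1100, 40),      # unrelated client
    FlowRecord("edge-sw-1", 3, "203.0.113.7", "10.0.0.5", "tcp", 445, 980, 1010, 5000),  # the attack
    FlowRecord("edge-sw-1", 3, "203.0.113.7", "10.0.0.5", "tcp", 22, 990, 1005, 12),     # probe, same source
    FlowRecord("edge-sw-1", 4, "203.0.113.7", "10.0.0.5", "udp", 53, 100, 200, 9),       # outside the window
]

if __name__ == "__main__":
    print(find_entry_point(SAMPLE_INTRUSION, SAMPLE_FLOWS, INTERFACE_INVENTORY))
```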
GROUNDS OF REJECTION TO BE REVIEWED ON APPEAL 



The grounds of rejection to review on appeal are as follows: 

A. GROUND OF REJECTION 1 

Whether claims 5-10, 15, and 18-20 are not anticipated under 35 U.S.C. §102 by Ricciulli, 
Method of Maintaining Lists of Network Characteristics, U.S. Patent 6,973,040 (December 6, 
2005). 

B. GROUND OF REJECTION 2 

Whether the Examiner failed to state a prima facie obviousness rejection of claims 11, 17, 
and 21-27 under 35 U.S.C. §103 over Ricciulli in view of Skirmont et al., Method and Apparatus 
for Load Apportionment Among Physical Interfaces in Data Routers, U.S. Patent 6,553,005 (April 
22, 2003). 

C. GROUND OF REJECTION 3 

Whether the Examiner failed to state a prima facie obviousness rejection of claim 16 under 
35 U.S.C. §103 over Ricciulli in view of Hunt et al., Network Dispatcher: A Connection Router for 
Scalable Internet Services, IBM Almaden Research Center, San Jose, CA, available at 
unizh.ch/home/mazzo/reports/www7conf/ fullpapers/1899/coml899.htm. 
ARGUMENT 



A. GROUND OF REJECTION 1 (Claims 5-11, 15, and 18-27) 

The Examiner rejected claims 5-11, 15, and 18-27 under 35 U.S.C. §102 as anticipated by 
Ricciulli. This rejection is manifestly incorrect, as shown below. 

A.1. Claims 5-11, 15, 18-20, 24, and 27 
A.1.i. Response to Rejection 

Claim 5 is a representative claim in this grouping of claims. Claim 5 is as follows: 

5. A computer-implemented method of identifying the entry point of an 
attack upon a device protected by an intrusion detection system, the method 
comprising the steps of: 

obtaining intrusion information, from an intrusion detection system, 
regarding an attack upon a device protected by the intrusion detection 
system; 

obtaining network information, from network equipment connected 
to the device, regarding the attack; 

determining a logical entry point of the attack using a correlation 
engine to correlate the intrusion information and the network information; 
and 

identifying a physical entry point associated with the logical entry 
point. 

Applicants first address the base rejection of claim 5. Applicants then rebut the Examiner's 
assertions made in the response to argument section of the final office action of June 27, 2006. In 
rejecting claim 5, the Examiner states in the current office action of June 12, 2007 that: 

3. Claims 5-10, 15, and 18-20 are rejected under 35 U.S.C. 102(e) as being 
anticipated by Ricciulli (U.S. Patent 6,973,040). 

Regarding Claim 5, 

Ricciulli discloses a computer-implemented method of identifying 
the entry point of an attack upon a device protected by an intrusion 
detection system, the method comprising the steps of: 

Obtaining intrusion information, from an intrusion detection system, 
regarding an attack upon a device protected by the intrusion 
detection system (Column 3, lines 16-33); 
Obtaining network information, from network equipment connected 
to the device, regarding the attack (Column 4, line 45 to Column 5, 
line 2); 

Determining a logical entry point (IP addresses, as well as TCP/UDP 
ports are logical representations used in combination to identify the 
entry point) of the attack using a correlation engine to correlate the 
intrusion information and the network information (Column 3, lines 
16-43; and Column 4, line 45 to Column 5, line 2); and 

Identifying a physical entry point (the physical entry point is where 
the router or node actually connects to the network, on its network 
interface) associated with the logical entry point (Column 3, lines 
34-43). 

Office action of June 12, 2007, pp. 3-4. 

A prior art reference anticipates the claimed invention under 35 U.S.C. § 102 only if every 
element of a claimed invention is identically shown in that single reference, arranged as they are in 
the claims. In re Bond, 910 F.2d 831, 832, 15 U.S.P.Q.2d 1566, 1567 (Fed. Cir. 1990). All 
limitations of the claimed invention must be considered when determining patentability. In re 
Lowry, 32 F.3d 1579, 1582, 32 U.S.P.Q.2d 1031, 1034 (Fed. Cir. 1994). Anticipation focuses on 
whether a claim reads on the product or process a prior art reference discloses, not on what the 
reference broadly teaches. Kalman v. Kimberly-Clark Corp., 713 F.2d 760, 218 U.S.P.Q. 781 (Fed. 
Cir. 1983). In this case, each and every feature of the presently claimed invention is not identically 
shown in the cited reference, arranged as they are in the claims. 

Ricciulli does not anticipate claim 5 because Ricciulli does not teach the claimed step of 
determining a logical entry point of the attack using a correlation engine to correlate the intrusion 
information and the network information. Additionally, Ricciulli does not anticipate claim 5 
because Ricciulli does not teach the claimed step of identifying a physical entry point associated 
with the logical entry point. The Examiner's assertions to the contrary are manifestly incorrect. 

Regarding the step of determining a logical entry point of attack, the Examiner asserts that 
two portions of Ricciulli teach this step. In the first portion cited by the Examiner, Ricciulli states: 

Various embodiments have routers with one or more lists of top-N more 
seen or most seen network characteristics, for example, destination 
addresses, in a small cache. This list can vary with time relatively slowly, for 
example, on the order of seconds for some embodiments. In some 
embodiments, the cache can have a number of instances of network 
characteristics substantially equal to or greater than C/F, where C can be a 
total aggregate capacity of a router, and F can be a minimum sustained 
flooding rate to detect. For example, to detect a 1 MB/s flooding on a 1 GB/s 
router, a cache of 1000 instances may be adequate. In one embodiment, 
listed instances can include a destination address and an ingress port. 

When an attack, such as flooding, is detected, a message can be sent 
upstream by the attacked network node. For example, the message payload 
can contain a return address R, a network/host address H and/or a cookie 
generated by the attacked network node. 

In some embodiments, an upstream router can look up H to check for a 
match in one or more lists of the local cache. If a match results, the router 
can forward a message upstream to appropriate interfaces. This can repeat 
recursively with routers further upstream. 

In some embodiments, if an upstream router does not find H in the local 
cache, a report message can be sent to R with, for example, interface 
information of a downstream neighbor and the cookie. In some 
embodiments, this can be identified as an entry point of the attack, such as 
the flood. 

Ricciulli, col. 3, ll. 16-43 (emphasis supplied). 

This portion of Ricciulli manifestly does not teach the claimed step of determining a logical 
entry point of an attack using a correlation engine to correlate the intrusion information and the 
network information. Instead, this portion of Ricciulli indicates that a data packet can be sent from 
the target of the attack upstream by the attacked network node. The data packet includes a network 
host address generated by the attacked network node. If an upstream router does not find the host 
address in the local cache, then a report is sent back to the target of the attack. Thus, the physical 
router that did not have a host address in its cache is identified as the source of the attack. 
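For contrast, the following added Python simulation (not Ricciulli's code and not part of the brief) runs the traceback that the quoted passage describes: each router keeps a top-N cache of (destination address, ingress interface) instances, looks up H when the message arrives, forwards the message upstream on every interface where H was seen, and otherwise reports to R with its downstream neighbor's interface information and the cookie. The topology, cache contents, addresses and cookie are constructed; the hop limit and the treatment of an interface with no participating upstream router are assumptions the passage does not specify.

```python
"""Added example: simulation of the upstream traceback as the quoted Ricciulli
passage describes it. Topology, caches, addresses and the cookie are constructed;
the hop limit is an assumption not stated in the passage."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class TraceMessage:
    return_address: str        # R: where report messages are sent
    host_address: str          # H: the network/host address under attack
    cookie: str                # generated by the attacked node, echoed in reports


@dataclass(frozen=True)
class Report:
    reporting_router: str      # router that did not find H in its local cache
    downstream_neighbor: str   # router (or host) that forwarded the message to it
    downstream_interface: str  # interface on that neighbor where H traffic was seen
    cookie: str


@dataclass
class Router:
    name: str
    cache: Set[Tuple[str, str]]   # top-N instances: (destination address, ingress interface)
    upstream: Dict[str, str]      # ingress interface -> participating upstream router


def handle_trace(routers: Dict[str, Router], current: str, came_from: Tuple[str, str],
                 msg: TraceMessage, reports: List[Report], hops_left: int = 16) -> None:
    """One router's handling of the trace message, recursing to routers further upstream."""
    if hops_left == 0:            # assumed bound against forwarding loops
        return
    router = routers[current]
    matched = sorted(iface for dst, iface in router.cache if dst == msg.host_address)
    if not matched:
        # H is not in the local cache: report to R with the downstream neighbor's interface.
        reports.append(Report(router.name, came_from[0], came_from[1], msg.cookie))
        return
    for iface in matched:
        nxt = router.upstream.get(iface)
        if nxt is not None:       # forward upstream on each interface where H was seen
            handle_trace(routers, nxt, (router.name, iface), msg, reports, hops_left - 1)


def run_trace(routers: Dict[str, Router], first_hop: str, attacked_node: str,
              msg: TraceMessage) -> List[Report]:
    """The attacked node sends the message to its first-hop router; collect every report."""
    reports: List[Report] = []
    handle_trace(routers, first_hop, (attacked_node, "host-link"), msg, reports)
    return reports


def accept_reports(reports: List[Report], expected_cookie: str) -> List[Tuple[str, str]]:
    """At R: keep only reports echoing the cookie issued for this trace and return the
    (downstream neighbor, interface) pairs that the passage identifies as entry points."""
    return sorted({(r.downstream_neighbor, r.downstream_interface)
                   for r in reports if r.cookie == expected_cookie})


# Constructed topology: traffic towards H reaches r2 on two interfaces.
H = "10.0.0.5"
SAMPLE_ROUTERS: Dict[str, Router] = {
    "r1": Router("r1", {(H, "if2"), ("10.0.0.9", "if2")}, {"if2": "r2"}),
    "r2": Router("r2", {(H, "if1"), (H, "if3")}, {"if1": "r3", "if3": "r4"}),
    "r3": Router("r3", {(H, "if7")}, {"if7": "r5"}),
    "r4": Router("r4", {("192.0.2.10", "if0")}, {"if0": "r6"}),
    "r5": Router("r5", set(), {}),
    "r6": Router("r6", set(), {}),
}
SAMPLE_MSG = TraceMessage(return_address=H, host_address=H, cookie="cookie-constructed-01")

if __name__ == "__main__":
    found = run_trace(SAMPLE_ROUTERS, "r1", "attacked-host", SAMPLE_MSG)
    print(accept_reports(found, SAMPLE_MSG.cookie))
```

Note that nothing in the exchange consults an intrusion detection system or a correlation engine; the result is a set of router interfaces, which is the distinction the argument above draws.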

Ricciulli does not provide any teaching regarding logical entry points of attack, as claimed. 
Ricciulli does not provide any teaching regarding using a correlation engine to correlate intrusion 
information and network information to determine a logical entry point of an attack, as claimed. 
Instead, Ricciulli teaches finding a physical entry point of the attack - the router lacking a host 
address in a cache - by sending a data packet from the target to that router. Nowhere does Ricciulli 
teach that a logical point of attack is determined using a correlation engine as in claim 5. Ricciulli 
does not even discuss logical entry points, except in the context of UDP ports and TCP ports being 
the type of information that can be compared in Ricciulli's lists in order to identify which physical 
router is the point of attack. 

The Examiner appears to assert that Ricciulli does teach something regarding logical entry 
points of attack. However, the Examiner's assertions regarding IP addresses being logical 
"representations" are wholly irrelevant to the claimed invention as recited in claim 5. 

Specifically, the Examiner states that "IP addresses, as well as TCP/UDP ports are logical 
representations used in combination to identify the entry point." Office action of June 12, 2007, p. 
4. As a first matter, the Examiner has mischaracterized the claim language. The claim language 
requires "determining a logical entry point of the attack using a correlation engine to correlate the 
intrusion information and the network information." Whether or not IP addresses and TCP/UDP 
ports are logical entry points is irrelevant. What is relevant is determining a logical entry point of 
an attack. Nowhere does Ricciulli teach determining a logical entry point of an attack. As shown 
above, Ricciulli teaches finding a physical router that is the source of an attack - not a logical entry 
point of an attack. 

Nevertheless, the Examiner asserts that the following text, in combination with the 
previously cited text, teaches the determining step as claimed: 

FIG. 3 shows a flowchart 300 of an aspect of some embodiments for 
maintaining one or more lists of one or more network characteristics. 
Various embodiments can alter, add to, delete from, and/or reorder elements 
of the flowchart 300. In 310, messages can be prevented from transiting the 
first network node. One embodiment prevents by filtering. Some 
embodiments prevent, responsive to receiving a message from an attacked 
network node. The attacked network node may have received a flooding 
attack and/or a denial of service attack. Such messages can have suspicious 
instances of network characteristics of lists. The suspicious instances can be 
associated with attacks on attacked network nodes. In 315, suspicious 
instances can be compared with repeatedly updated lists. If the compare 
fails to result in a match, prevention can be halted. One embodiment of 
halting the preventing can include removing the filter. In 320, lists can be 
repeatedly updated. Instances having low frequency of occurrences can be 
removed from lists. In various embodiments, the updating can occur at the 
second network node 140 and/or a third network node. 

There are many possible network characteristics that can be matched in 
315. For example, IP source addresses 330, destination IP addresses 335, 
source TCP ports 340, source UDP ports 345, destination TCP ports 350, 
destination UDP ports 355, TCP flags 360, and/or ICMP flags 365. 

Ricciulli, col. 4, l. 45 through col. 5, l. 2 (emphasis supplied). 
This portion of Ricciulli does not teach the step of determining a logical entry point of 
attack, either alone or together with the previously cited text. This portion of Ricciulli teaches 
comparing suspicious data packets with repeatedly updated lists. If some aspect of the data packet 
matches one or more aspects contained in the list, then a suspicious data packet is confirmed to be a 
data packet associated with an attack. In this case, the source or host of the attack is prevented from 
sending further data packets to the server. If a suspicious data packet is not associated with an 
attack, then communication from the source or host is allowed. 

However, Ricciulli never teaches determining a logical entry point of an attack using a 
correlation engine, as in claim 5. Although information in data packets is compared to information 
contained in lists, no comparison is made to determine a logical entry point of the attack. Instead, 
the comparison is made to determine whether a host or source should be blocked from sending 
further data packets. As described above, the host or source is detected by sending a search data 
packet upstream in the network to determine which physical router does not have a host address in a 
cache. That physical router is the source of the attack. Thus, Ricciulli does not teach 
determining a logical entry point of attack, as claimed. 

Additionally, Ricciulli does not teach "identifying a physical entry point associated with the 
logical entry point," as claimed in claim 5. The Examiner asserts otherwise, citing the following 
portion of Ricciulli for support: 

In some embodiments, an upstream router can look up H to check for a 
match in one or more lists of the local cache. If a match results, the router 
can forward a message upstream to appropriate interfaces. This can repeat 
recursively with routers further upstream. 

In some embodiments, if an upstream router does not find H in the local 
cache, a report message can be sent to R with, for example, interface 
information of a downstream neighbor and the cookie. In some 
embodiments, this can be identified as an entry point of the attack, such as 
the flood. 

Ricciulli, col. 3, ll. 34-43. 

Again, the above-cited text teaches identifying a physical router as the source of attack. 
Ricciulli does not mention identifying the logical entry point of attack and does not teach 
identifying a physical entry point associated with the logical entry point of the attack. The 
Examiner's assertions to the contrary are plainly wrong. 
Nevertheless, the Examiner also states that, "the physical entry point is where the router or 
node actually connects to the network, on its network interface." The Examiner's statement is 
irrelevant, whether or not the statement is correct. As Ricciulli points out, a physical router is 
identified as the source of an attack. At no point does Ricciulli identify a logical entry point of 
attack, as claimed. 

As shown above, Ricciulli does not teach either the "determining" step or the "identifying" 
step of claim 5. Accordingly, Ricciulli does not anticipate claim 5. 



A.1.ii. Rebuttal to Examiner's Response 

In a prior office action, the Examiner stated that: 

A network node will detect an attack, thereby obtaining the IP address of an 
attacking host. This node will then send data to another router, the data 
including a return address, the attacking host's address, a cookie, a 
certificate, etc. The packet sent upstream to the current router contains a 
return IP address for the next downstream router. The current router will 
then check if the attacking host's information (address, ports, etc.) is within 
a table. If this information is not in the table, the current router will send a 
report message to the original network node, said report message comprising 
interface information of the downstream router, as well as the cookie. It is 
clear from this that the current router is sent the IP address of the 
downstream router, correlates network and intrusion information to 
determine whether the current router has seen the pertinent traffic and, if not, 
the current router determines that the downstream router's IP address (along 
with other logical information, such as a logical port) is a logical entry point 
and creates a message including the physical entry point (interface on the 
downstream router) to send to the original network node. 

Final office action of June 27, 2006, pp. 2-3. 

The Examiner's response belies the Examiner's misunderstanding of Ricciulli and of the 
claims. The Examiner's fundamental error is in the Examiner's assertion that Ricciulli 
determines a logical entry point of attack, as shown above and as proven again below. However, 
for the sake of argument, even if the Examiner's invalid assertions were correct, Ricciulli still fails 
to anticipate claim 5. 

In particular, the Applicants assume, arguendo, that the following statement by the 
Examiner regarding Ricciulli is correct, "the current router determines that the downstream router's 
IP address (along with other logical information, such as a logical port) is a logical entry point." 
Thus, Applicants assume, arguendo, that an IP address is a logical entry point (which it is not, as 
proven by the Symantec and Apple articles presented below). 

The reason why the Examiner's arguments fall apart is that Ricciulli "detects" the IP address 
(or UDP port or TCP port information) in packets passing through routers and then compares that 
information to information contained in the lists in the router to determine if the router is the source 
of the attack. For this reason, Ricciulli does not determine a logical entry point of attack using a 
correlation engine to correlate the intrusion information and the network information, as in claim 
5. At most, again arguendo, Ricciulli teaches using a correlation engine to correlate the logical 
entry point (the IP address) and other information to determine the physical router as the point of 
attack. Therefore, assuming arguendo that the IP address is a logical entry point, Ricciulli "detects" 
the logical entry point of attack and then uses that information elsewhere. Ricciulli does not 
determine a logical entry point using a correlation engine, as claimed. 

For example, see claims 14 and 15 of Ricciulli as examples of this technique: 

1. A method of maintaining one or more lists of one or more network 
characteristics of a plurality of messages traveling near at least a first 
network node coupled to at least a first packet network, comprising: 

detecting the plurality of messages traveling near at least the first 
network node coupled to at least the first packet network, wherein each of 
the plurality of messages comprises one or more network characteristics; 
and 

updating the one or more lists of the one or more network 
characteristics of the plurality of messages, such that the one or more lists 
comprise instances of the one or more network characteristics based on at 
least a frequency of occurrences of the instances. 



13. The method of claim 1, wherein the one or more network 
characteristics comprise one or more source ports. 

14. The method of claim 13, wherein the one or more source ports comprise 
one or more Transmission Control Protocol ports. 

15. The method of claim 13, wherein the one or more source ports comprise 
one or more User Datagram Protocol ports. 

Ricciulli, col. 5, ll. 39-52 and col. 6, ll. 13-20 (emphasis supplied). 
Thus, Ricciulli simply "picks out" the network characteristic from an information packet. 
The network characteristic could be a logical entry point in the form of a TCP port or UDP port. 
Ricciulli uses this information to compare to maintained lists, as recited in Ricciulli's claim 1. The 
rest of Ricciulli's disclosure, as quoted above, is consistent with Ricciulli's claim 1. This 
mechanism of comparing logical entry points associated with packets passing through routers is not 
the same as the determination of a logical entry point of an attack using a correlation engine, as in 
claim 5. Therefore, Ricciulli does not anticipate claim 5, even if the Examiner's incorrect 
assertions regarding the nature of logical entry points were correct. 

However, the Examiner's assertion that Ricciulli teaches determination of a logical entry 
point of attack is manifestly incorrect. Ricciulli determines the physical entry point of an attack as 
follows: 

When an attack, such as flooding, is detected, a message can be sent 
upstream by the attacked network node. For example, the message payload 
can contain a return address R, a network/host address H and/or a cookie 
generated by the attacked network node. 

In some embodiments, an upstream router can look up H to check for a 
match in one or more lists of the local cache. If a match results, the router 
can forward a message upstream to appropriate interfaces. This can repeat 
recursively with routers further upstream. 

In some embodiments, if an upstream router does not find H in the local 
cache, a report message can be sent to R with, for example, interface 
information of a downstream neighbor and the cookie. In some 
embodiments, this can be identified as an entry point of the attack, such as 
the flood. 

Ricciulli, col. 3, ll. 29-43 (quoted above, but repeated here for ease of reference). 

Again, Ricciulli teaches that a network/host address identified in an attack packet can be 
compared to a list of addresses in a router. If a match exists, then a message is sent to the next 
router upstream, whereupon the procedure repeats. Ultimately, when a final router does not find the 
host address in its local cache, the final router sends a message to the return address in order to 
identify the final router as the entry point of the attack. 

Therefore, Ricciulli compares addresses to identify a physical router as a source of attack. 
The Examiner's assertion that Ricciulli determines a UDP port address or TCP port address as the 
source of the attack is incorrect. Instead, Ricciulli uses UDP port addresses or TCP port addresses 
identified in packets passing through routers as information to compare to the lists contained in the 
physical router to identify the physical router that is under attack. Thus, Ricciulli does not 
determine a logical entry point of an attack using a correlation engine to correlate the intrusion 
information and the network information, as claimed. 

Additionally, the Examiner's assertion that Ricciulli determines the logical entry point of an 
attack is incorrect. The Examiner misunderstands what a logical entry point is. A logical entry 
point is a virtual "port" maintained by a computer's operating system. The virtual port is used to 
access a network. One of ordinary skill would interpret the claimed term "logical entry point" in 
this light. For example, the Board is invited to review the following article provided by a major 
networking security company, Symantec, which produces Norton Antivirus® software. In that 
article, Symantec describes a logical entry point as follows: 

Port: Logical entry point of a network to your operating system. The 
operating system has 65,535 logical entry points that can be used by 
applications to communicate with the outside. Some are "opened" when 
requested during an outgoing connection, for example, whereas others can 
remain open permanently to accept connections coming from the outside. 

symantec.com/en/aa/home_homeoffice/library/article.jsp?aid=evaluating_security (emphasis in 
original). 

Thus, an Internet address is not a logical entry point, as asserted by the Examiner. An 
Internet address is simply a means of identifying a computer, in much the same way a street address 
identifies a house. 

However, UDP ports or TCP/IP ports are logical entry points. UDP ports and TCP/IP ports 
are ports maintained by an operating system as logical entry points to the operating system. See 
also the following article published by Apple Corporation: 

You may not be aware of IP ports very often, but you probably use them 
every day. Servers often deliver more than one type of service, so using the 
Internet address (URL) of a server is not enough - you must also tell the 
server what you want. These requests are made by "port" number. Web 
service (HTTP) is commonly delivered on port 80, for example. Web 
browsers are programmed to assume that you want port 80 when you type a 
URL, such as "www.apple.com". That is why you do not need to be aware of 
which port you are using for most Web browsing. 
Sometimes you need to type a port number when connecting to a service. 
Whether you must depends on what client software you are using, the 
service, and how the server is set up. 

IP stands for "Internet protocol," which can be subdivided into port types 
such as TCP and UDP. For more on these ports, see "Well-Known" TCP 
and UDP ports used by Apple software products. 

docs.info.apple.com/article.html?artnum=106770. 

Although Ricciulli does mention UDP ports and TCP ports, Ricciulli does so only in the 
context of identifying types of information that can be pulled from packets passing through the 
router and then used to compare to information stored in Ricciulli's lists. For example, Ricciulli 
provides that: 

There are many possible network characteristics that can be updated in 220. 
For example, IP source addresses 230, destination IP addresses 235, source 
TCP ports 240, source UDP ports 245, destination TCP ports 250, 
destination UDP ports 255, TCP flags 260, and/or ICMP flags 265. 

Ricciulli, col. 4, ll. 40-44. 

Thus, although Ricciulli does identify and compare UDP port and TCP port information in 
individual packets, Ricciulli does not identify which of the UDP ports and TCP ports are the 
logical entry points of attack, as required by claim 5. Certainly, Ricciulli does not determine the 
logical entry point of attack (UDP port or TCP port) using a correlation engine, as claimed, 
because Ricciulli draws UDP or TCP port information only from packets passing through routers. 
Additionally, Ricciulli does not correlate the logical entry point of attack to a physical point, as 
claimed, because Ricciulli does not determine the logical entry point of attack in the first place. 

Therefore, Ricciulli does not teach all of the features of claim 5. Accordingly, Ricciulli does 
not anticipate claim 5. 

Applicants now address the Examiner's next incorrect argument. The Examiner states that: 

It is clear from the above that Ricciulli teaches determining a logical entry 
point of an attack using a correlation engine to correlate the intrusion 
information with the network information. However, in the sake of clarity, 
another embodiment of Ricciulli discloses that the current router will receive 
a message from a downstream router, as stated above. The current router 
will then correlate the network information and intrusion information via 
tables. If it is found that the current router has been receiving attack traffic, 
by finding logical information pertaining to the attack within the tables, such 
as IP source addresses, destination IP addresses, source TCP ports, source 
UDP ports, destination TCP ports, and destination UDP ports, it will attempt 
to send the message upstream to another router. If it is determined that the 
upstream router does not implement the system, the current router will 
identify itself as the physical entry point and send a message indicating such 
to the original network node. The logical entry point can be one of many, 
such as the source IP address, source IP address/source TCP port combo, or 
any other logical point of entrance through which packets corresponding to 
an attack travel. Once this logical entry point has been determined by the 
correlation step, the current router will identify itself as the physical entry 
point associated with the logical entry point (or logical entry points, since 
there could be more than one, as explained above). 

Final office action of June 27, 2006, p. 3. 

Again, the Examiner's incorrect statements are based on a flawed reading of Ricciulli. As 
shown above, Ricciulli does not determine the logical entry point of an attack at all. In another 
example, in reference to Ricciulli's Figure 2, Ricciulli states that: 

In 210, messages traveling a first packet network can be detected. The 
messages can have network characteristics. In 220, lists of network 
characteristics of messages can be updated, so that lists have instances of 
network characteristics based on frequency of occurrences of instances. The 
lists can have a group of more or most frequently occurring instances of the 
network characteristics. The frequency of occurrences can include a number 
of occurrences in an amount of time. In one embodiment, a number of 
instances in each of the lists can be substantially equal to or greater than a 
quotient. The quotient can include a capacity rate of a router (for example, 
first network node 110) divided by a threshold flooding rate. 

Ricciulli, col. 4, ll. 23-39. 

Thus, Ricciulli detects network characteristics in packets passing through or near routers. 
The network characteristics can be logical entry points, such as UDP ports or TCP ports. However, 
Ricciulli directly detects these network characteristics and does not "determine a logical entry point 
of the attack using a correlation engine to correlate the intrusion information and the network 
information." Instead, Ricciulli uses the UDP and TCP port information contained in packets to 
determine the physical router that is the physical entry point of an attack. 
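To make the distinction concrete, the following Python example (added here; it is not code from the Bardsley application, from Ricciulli or from Skirmont) contrasts a Ricciulli-style frequency list built from port fields read directly out of packets with a correlation engine that derives the logical entry point, and the physical port associated with it, from intrusion information and network information. The packet data, host addresses, port map, field names and function names are constructed assumptions for this example.

```python
"""Added illustration for this section of the brief; not code from the
Bardsley application, from Ricciulli or from Skirmont.  It contrasts:

  * frequency_lists(): a Ricciulli-style pass that reads IP address and
    TCP/UDP port fields directly out of packets seen at a router and keeps
    the most frequent instances, with list length taken from the quotient
    capacity rate / threshold flooding rate (Ricciulli, col. 4, ll. 23-39);
  * correlate(): a correlation engine in the sense of claim 5 that takes
    intrusion information (an IDS alert) and network information (a service
    inventory plus a logical-port-to-physical-port map for a load balancer)
    and determines the logical entry point (a port) and its physical port.

All hosts, ports and packets are constructed sample data; the field names
and the NETWORK_INFO layout are assumptions made for this example.
"""
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass

# Constructed packet characteristics as a router would see them.
PACKETS = [
    {"src_ip": "198.51.100.7", "dst_ip": "203.0.113.10", "proto": "tcp", "src_port": 40001, "dst_port": 80},
    {"src_ip": "198.51.100.7", "dst_ip": "203.0.113.10", "proto": "tcp", "src_port": 40002, "dst_port": 80},
    {"src_ip": "198.51.100.9", "dst_ip": "203.0.113.10", "proto": "tcp", "src_port": 40003, "dst_port": 80},
    {"src_ip": "198.51.100.9", "dst_ip": "203.0.113.10", "proto": "tcp", "src_port": 40004, "dst_port": 80},
    {"src_ip": "198.51.100.12", "dst_ip": "203.0.113.10", "proto": "tcp", "src_port": 40005, "dst_port": 80},
    {"src_ip": "192.0.2.33", "dst_ip": "203.0.113.10", "proto": "tcp", "src_port": 51000, "dst_port": 443},
    {"src_ip": "192.0.2.34", "dst_ip": "203.0.113.10", "proto": "tcp", "src_port": 51001, "dst_port": 443},
    {"src_ip": "192.0.2.35", "dst_ip": "203.0.113.11", "proto": "udp", "src_port": 6000, "dst_port": 53},
]

FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port")


def frequency_lists(packets, capacity_rate_pps, threshold_flooding_rate_pps):
    """Ricciulli-style lists: most frequent instances of each characteristic.

    Each list holds at least capacity rate / threshold flooding rate
    instances.  The result only says which values occur often at the router;
    it does not by itself say which port is the logical entry point of an
    attack, which is the distinction the brief draws.
    """
    size = max(1, math.ceil(capacity_rate_pps / threshold_flooding_rate_pps))
    return {f: Counter(p[f] for p in packets).most_common(size) for f in FIELDS}


@dataclass(frozen=True)
class IntrusionInfo:
    """Intrusion information as an IDS sensor might report it (constructed)."""
    signature: str
    dst_ip: str
    proto: str
    dst_port: int


@dataclass(frozen=True)
class EntryPoint:
    logical_port: tuple[str, int]   # (protocol, port): the logical entry point
    service: str
    physical_port: str              # physical entry point on the load balancer


# Network information (constructed): which services listen on which logical
# ports of the protected hosts, and which physical port of the load balancer
# carries traffic for each of them.
NETWORK_INFO = {
    "services": {
        ("203.0.113.10", "tcp", 80): "http",
        ("203.0.113.10", "tcp", 443): "https",
        ("203.0.113.11", "udp", 53): "dns",
    },
    "physical_ports": {
        ("203.0.113.10", "tcp", 80): "lb1/slot2/port3",
        ("203.0.113.10", "tcp", 443): "lb1/slot2/port4",
        # dns deliberately has no physical mapping, to show the unmapped case
    },
}


def correlate(intrusion: IntrusionInfo, network_info=NETWORK_INFO) -> EntryPoint | None:
    """Correlation engine: intrusion information + network information
    -> logical entry point and the physical port associated with it."""
    key = (intrusion.dst_ip, intrusion.proto, intrusion.dst_port)
    service = network_info["services"].get(key)
    if service is None:
        # The alert names a port no inventoried service listens on:
        # there is nothing to correlate, so no entry point is determined.
        return None
    physical = network_info["physical_ports"].get(key, "unmapped")
    return EntryPoint((intrusion.proto, intrusion.dst_port), service, physical)


def manager_alert(intrusion: IntrusionInfo, entry: EntryPoint) -> str:
    """Message for the network manager naming logical and physical ports."""
    return (f"{intrusion.signature} against {intrusion.dst_ip}: logical entry "
            f"point {entry.logical_port[0]}/{entry.logical_port[1]} ({entry.service}), "
            f"physical entry point {entry.physical_port}")


if __name__ == "__main__":
    print(frequency_lists(PACKETS, capacity_rate_pps=1000, threshold_flooding_rate_pps=250))
    alert = IntrusionInfo("SYN flood", "203.0.113.10", "tcp", 80)
    entry = correlate(alert)
    if entry is not None:
        print(manager_alert(alert, entry))
```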

Applicants now address the Examiner's next argument. The Examiner states that: 

Applicant also argues that the Examiner indicate what IP addresses and 
TCP/UDP ports are logical representations of. Applicant further argues that 
using TCP/UDP ports as logical entry points is manifestly incorrect. An IP 
address is a logical representation of an address for a machine. TCP/UDP 
ports are logical representations for ports on a machine. Throughout the 
specification, applicant discusses using logical ports as a possible entry point 
of an attack, thus the logical ports used as logical entry point within Ricciulli 
is manifestly correct. 

Final office action of June 27, 2006, pp. 3-4. 

Again, as shown above, Ricciulli does not determine which TCP ports and UDP ports are 
the entry points of attack. Instead, Ricciulli uses information regarding TCP ports and UDP ports 
contained in packets to determine the physical router being attacked. 

Applicants now address the Examiner's final argument. The Examiner states that: 

Applicant also argues that Ricciulli does not teach alerting a network 
manager to the location of the logical port and of the physical port. Since it 
has been described above how logical and physical addresses, machines, and 
ports can be entry points of an attack, and the cited section discloses 
notifying the relevant ISP or authorities (each being a network manager) 
about the attack, it is clear to see that the relevant information regarding the 
attack will be sent to the network managers. Also, as is clear from the 
specification, alerting a network manager comprises sending a message to a 
computer or system, so this manager need not be a person. Indeed, the 
specification does not teach alerting a human manager, only a management 
center (which is a computer/system). Since this is the case, other sections 
pertain to this claim as well, such as the sending of a report packet back to 
the original network node identifying the machine (location of the logical 
port), interface (physical port), and other information. 

Final office action of June 27, 2006, p. 4. 

Again, Ricciulli does not determine the logical entry point of an attack. Therefore, Ricciulli 
does not teach alerting a network manager to the location of the logical port of attack. 

Applicants have successfully rebutted all of the Examiner's arguments. As shown above, 
Ricciulli does not determine the logical entry point of an attack, as in claim 5. Ricciulli does not 
determine the logical entry point of an attack using a correlation engine, as in claim 5. Therefore, 
Ricciulli does not teach all of the features of claim 5. Accordingly, Ricciulli does not anticipate 
claim 5 or any other claim in this grouping of claims. 

B. GROUND OF REJECTION 2 (Claims 11, 17, and 21-27) 
B.1. Claims 11 and 21-27 

Claim 11 is a representative claim of this grouping of claims. Claim 11 is as follows: 

11. The computer-implemented method of claim 9, wherein the step of 
identifying a physical entry point includes the step of identifying a physical 
port associated with the logical port. 

Regarding the rejection of claim 11, the examiner states that: 

4. Claims 11, 17, and 21-27 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over Ricciulli in view of Skirmont (U.S. Patent 
6,553,005). 

Regarding Claim 11, 

Ricciulli discloses that the step of identifying a physical entry point 
includes the step of identifying an interface associated with the 
logical port (Column 3, lines 34-43); but may not explicitly disclose 
identifying a physical port associated with the logical port. 

Skirmont, however, discloses identifying a physical port associated 
with the logical port and/or identifying a physical port associated 
with an interface (Column 4, line 66 to Column 5, line 67). It would 
have been obvious to one of ordinary skill in the art at the time of 
applicant's invention to incorporate the network device and mapping 
methods of Skirmont into the intrusion detection system of Ricciulli 
because such mapping is well known in the art and/or to maintain 
packet flows from a common source to a common destination to be 
routed along strict physical paths, thereby allowing for efficient 
detection and filtering of attacks, and/or to provide the system with 
efficient load balancing, thus protecting against packets being 
received out of order and consequently being lost/discarded. 

Office action of June 12, 2007, pp. 6-7. 

The Examiner bears the burden of establishing a prima facie case of obviousness based on 
prior art when rejecting claims under 35 U.S.C. § 103. In re Fritch, 972 F.2d 1260, 23 U.S.P.Q.2d 
1780 (Fed. Cir. 1992). The prior art reference (or references when combined) must teach or suggest 
all the claim limitations. In re Royka, 490 F.2d 981, 180 USPQ 580 (CCPA 1974). In determining 
obviousness, the scope and content of the prior art are ... determined; differences between the prior 
art and the claims at issue are ... ascertained; and the level of ordinary skill in the pertinent art 
resolved. Against this background the obviousness or non-obviousness of the subject matter is 
determined. Graham v. John Deere Co., 383 U.S. 1 (1966). "Often, it will be necessary for a court 
to look to interrelated teachings of multiple patents; the effects of demands known to the design 
community or present in the marketplace; and the background knowledge possessed by a person 
having ordinary skill in the art, all in order to determine whether there was an apparent reason to 
combine the known elements in the fashion claimed by the patent at issue." KSR Int'l. Co. v. 
Teleflex, Inc., No. 04-1350 (U.S. Apr. 30, 2007). "Rejections on obviousness grounds cannot be 
sustained by mere conclusory statements; instead, there must be some articulated reasoning with 
some rational underpinning to support the legal conclusion of obviousness." Id. (citing In re Kahn, 
441 F.3d 977, 988 (CA Fed. 2006)). 

B.1.i. The Proposed Combination of References, Considered as a Whole, Does Not Teach or 
Suggest the Features of the Claims 

In the case at hand, the examiner failed to state a prima facie obviousness rejection against 
the claims because the proposed combination of references, considered as a whole, does not teach 
or suggest the feature of, "determining a logical entry point of the attack using a correlation engine 
to correlate the intrusion information and the network information." This feature is incorporated 
into claim 11 at least by virtue of the dependence of claim 11 on claim 5. As proven above, 
Ricciulli does not teach or suggest this claimed feature. Additionally, Skirmont does not teach or 
suggest this claimed feature. As shown further below, Skirmont is related to routing techniques 
within a router; that is, routing packets outwardly from a router, as opposed to obtaining intrusion 
information into a router. 

Because neither reference teaches or suggests the feature of, "determining a logical entry 
point of the attack using a correlation engine to correlate the intrusion information and the network 
information," the proposed combination of references, considered as a whole, does not teach or 
suggest this claimed feature. Accordingly, under the standards of In re Bond, the examiner failed to 
state a prima facie obviousness rejection against claim 11 or any other claim in this grouping of 
claims. 

Additionally, contrary to the examiner's assertions, Skirmont does not teach or suggest the 
claimed features of claim 11. The examiner believes that, "Skirmont, however, discloses 
identifying a physical port associated with the logical port and/or identifying a physical port 
associated with an interface." Office action of June 12, 2007, p. 6. However, again, the examiner 
has mischaracterized the claim language. Claim 11 provides that, "wherein the step of identifying 
a physical entry point includes the step of identifying a physical port associated with the logical 
port." Thus, as in claim 11, the physical port is a physical entry point. In Skirmont, the physical 
port in question is the egress point. For example, Skirmont provides that: 



FIG. 2 is a simplified flow diagram showing a first packet 23 being 
conducted to a physical egress port according to current art. Firstly, the 
system of router Rl notes the destination address, and consults a forwarding 
table. The forwarding table may have a number of logical destinations 
suitable for the destination address of this first packet. A process termed 
"longest prefix match" is typically used to select the most suitable first hop 
destination. In this case the table lookup indicates a first top destination for 
interface IF2. At step 27 the system of router Rl sends the packet to 
interface IF2. At this point the question of the correct physical egress port is 
still unanswered. One solution in the prior art is to do a second table lookup 
from a specialized table which relates to all of the physical ports associated 
with interface IF2. This operation is shown as step 29. As a result of the 
second lookup the packet is sent to the finally selected physical port. 

Skirmont, col. 4, l. 66 through col. 5, l. 15 (cited by the examiner as teaching the claim feature). 

In relevant part, Skirmont states that the flow of Figure 2 applies to conducting a packet to a 
physical egress point. Skirmont also states that the router notes a destination address and consults a 
forwarding table that may have a number of logical destinations suitable for the destination address. 
Thus, Skirmont teaches the opposite of what the examiner asserts Skirmont to teach; namely, the 
routing of packets to egress ports. 

Therefore, Skirmont does not teach what the examiner asserts Skirmont to teach. Hence, the 
proposed combination of references, considered as a whole, does not teach or suggest the features 
of claim 11. Accordingly, the examiner failed to state a prima facie obviousness rejection against 
claim 11 or any other claim in this grouping of claims. 



B.1.ii. The Examiner Can Not Cite Skirmont Solely for the Proposition that Skirmont Teaches 
a Particular Technology without Considering the Combination as a Whole 

Nevertheless, the examiner appears, possibly, to cite Skirmont solely for the proposition that 
mapping logical ports to physical ports is known. However, such an assertion would be 
fundamentally flawed, because the examiner is not permitted to simply identify technologies and 
then cobble together rejections based on asserted advantages. Instead, under the standards of KSR 
Int'l., the examiner is required to consider the references as a whole and then provide a rational 
underpinning to achieve the legal conclusion of obviousness. Additionally, "It is impermissible 
within the framework of §103 to pick and choose from any one reference only so much of it as will 
support a given position, to the exclusion of other parts necessary to the full appreciation of what 
such reference fairly suggests to one of ordinary skill in the art." In re Hedges, 228 U.S.P.Q. 685, 
687 (Fed. Cir. 1986) (emphasis supplied). Thus, the examiner is not permitted to "pick out" 
"finding logical points" from Skirmont and then assert the obviousness of the claims. Accordingly, 
the examiner failed to state a proper reason to achieve the legal conclusion of obviousness under the 
standards of KSR Int'l. 

B.1.iii. Skirmont Teaches Away from the Claims 

Furthermore, in the light that Ricciulli does not teach what the examiner asserts Ricciulli to 
teach, the teachings of Skirmont actually teach away from the invention of claim 11. Claim 11 is 
directed towards finding the physical entry point of attack. Skirmont is directed towards finding 
egress points. These two purposes are diametrically opposed. The references therefore cannot be 
combined in a logical fashion to achieve the legal conclusion of obviousness. Accordingly, the 
references, considered as a whole under the standards of KSR Int'l., cannot be used to assert a 
prima facie obviousness rejection against claim 11. Hence, the examiner failed to state a prima 
facie obviousness rejection against claim 11 or any other claim in this grouping of claims. 

B.1.iv. The Examiner Failed To State a Proper Reason To Achieve the Legal Conclusion of 
Obviousness under the Standards of KSR Int'l. 

Additionally, the examiner failed to state a prima facie obviousness rejection against claim 
11 because the examiner failed to state a proper reason to achieve the legal conclusion of 
obviousness under the standards of KSR Int'l. Regarding a reason to combine the references, the 
examiner states that: 

because such mapping is well known in the art and/or to maintain 
packet flows from a common source to a common destination to be 
routed along strict physical paths, thereby allowing for efficient 
detection and filtering of attacks, and/or to provide the system with 
efficient load balancing, thus protecting against packets being 
received out of order and consequently being lost/discarded. 

Office action of June 12, 2007, pp. 6-7. 
However, the examiner's statement does not satisfy the requirements of KSR Int'l. The 
Court in KSR Int'l. states that, "Often, it will be necessary for a court to look to interrelated 
teachings of multiple patents; the effects of demands known to the design community or present in 
the marketplace; and the background knowledge possessed by a person having ordinary skill in the 
art, all in order to determine whether there was an apparent reason to combine the known elements 
in the fashion claimed by the patent at issue." KSR Int'l. Co. v. Teleflex, Inc., No. 04-1350 (U.S. 
Apr. 30, 2007). "Rejections on obviousness grounds cannot be sustained by mere conclusory 
statements; instead, there must be some articulated reasoning with some rational underpinning to 
support the legal conclusion of obviousness." Id. (citing In re Kahn, 441 F.3d 977, 988 (CA Fed. 
2006)). 

The examiner's statement provides no rational underpinning to support the legal 
conclusion of obviousness. The examiner only states a purported advantage to combine the 
references. However, the examiner does not provide any technical or other rational connection 
between the purported advantage and the legal conclusion of obviousness. Instead the examiner 
simply states the purported advantage and then assumes that the reader would recognize that the 
purported advantage would somehow compel the legal conclusion that claim 11 is obvious in view 
of the references. However, this assumption fails to comport with the requirements of KSR Int'l. 
that the examiner provide articulated reasoning with a rational underpinning to achieve the legal 
conclusion of obviousness in view of the references. Accordingly, under the standards of KSR 
Int'l., the examiner failed to state a prima facie obviousness rejection against claim 11 or any other 
claim in this grouping of claims. 

B.1.v. No Reason Exists to Achieve the Legal Conclusion of Obviousness in View of Ricciulli 
and Skirmont Because They Address Different Problems 

One of ordinary skill would not combine the references to achieve the invention of claim 11 
because the references are directed towards solving different problems. It is necessary to consider 
the reality of the circumstances—in other words, common sense—in deciding in which fields a 
person of ordinary skill would reasonably be expected to look for a solution to the problem facing 
the inventor. In re Oetiker, 977 F.2d 1443 (Fed. Cir. 1992); In re Wood, 599 F.2d 1032, 1036, 202 
U.S.P.Q. 171, 174 (CCPA 1979). In the case at hand, the cited references address distinct 
problems. Thus, no common sense reason exists to establish that one of ordinary skill would 
reasonably be expected to look for a solution to the problem facing the inventor. Accordingly, no 
proper reason exists under KSR Int'l. to achieve the legal conclusion of obviousness in view of the 
references. Hence, the Examiner has failed to state a prima facie obviousness rejection of claim 11. 

For example, Ricciulli is directed to solving the problem of detecting the router that is the 
physical entry point of a denial of service attack. On the other hand, Skirmont is directed to the 
problem of load apportionment among physical interfaces in data routers. For example, Skirmont 
provides as follows: 

In current art when a packet is received at a router the packets headers are 
read and typically a forwarding table is consulted to determine the next hop 
for the packet. This next hop table contains, among other things, the identity 
of the egress interface to be used and how to send the packet internally to 
that location. A problem in current art is that the egress interface may well 
be a defined interface comprising several actual physical egress ports. The 
problem then is one of determining which of the actual physical egress ports 
to use. One solution is to simply do another software table lookup. This is 
not difficult for software based routing elements, but is less than ideal for a 
high-speed hardware based solution where memory space and ASIC pins 
may well be limited. 

What is clearly needed for the new generation of very high-speed and more 
sophisticated routers is a method and system for mapping IP packets that 
have common source and destination by strict physical paths, while at the 
same time accomplishing efficient load balancing along the same physical 
paths. 

Skirmont, col. 2, ll. 6-25. 

Based on the plain disclosures of the references themselves, the references address 
completely distinct problems that are unrelated to each other. The problem of detecting the router 
that is the physical entry point of a denial of service attack is completely distinct from the problem 
of load apportionment among physical interfaces in data routers. Still more starkly, Skirmont is 
directed towards finding egress points, whereas Ricciulli is directed towards finding ingress routers. 

Because the references address completely distinct problems, and because Skirmont actually 
teaches away from the claims, one of ordinary skill would have no reason to combine or otherwise 
modify the references to achieve the legal conclusion of obviousness regarding claim 11 in view of 
the references considered as a whole. Thus, under the standards of KSR Int'l., the examiner failed 
to state a proper reason to achieve the legal conclusion of obviousness. Accordingly, the Examiner 
has failed to state a prima facie obviousness rejection against claim 11 or any other claim in this 
grouping of claims. 

B.1.vi. The Examiner Used Impermissible Hindsight When Combining the References 

The Examiner failed to state a prima facie obviousness rejection because the Examiner used 
impermissible hindsight when fashioning the rejections. "It is impermissible within the framework 
of §103 to pick and choose from any one reference only so much of it as will support a given 
position, to the exclusion of other parts necessary to the full appreciation of what such reference 
fairly suggests to one of ordinary skill in the art." In re Hedges, 228 U.S.P.Q. 685, 687 (Fed. Cir. 
1986). Additionally, personal opinion cannot be substituted for what the prior art teaches because a 
prima facie case of obviousness is established when the teachings of the prior art itself suggest the 
claimed subject matter to a person of ordinary skill in the art. In re Bell, 991 F.2d 781, 783, 26 
U.S.P.Q.2d 1529, 1531 (Fed. Cir. 1993). In viewing the references as a whole, one of ordinary skill 
would look to the problems addressed by the references in determining whether to combine the 
references. 

In the case at hand, the examiner only picked a tiny, isolated disclosure from Skirmont and 
attempted to combine that disclosure with Ricciulli without asserting any reason to achieve the 
legal conclusion of obviousness. Additionally, the Examiner provided no reason why one of 
ordinary skill would recognize the proposed advantage. Moreover, the Examiner has provided no 
reason why one of ordinary skill would, without a priori knowledge, think to use load balancers in 
the rest of the claimed invention. Instead, the Examiner only provided a hypothetical advantage to 
combining the references as a "band aid" to cobble together the rejection. 

Given the stark misalignment between the references, the Examiner clearly searched the 
prior art for the term "load balancer," found a reference, and then tried to glue the references 
together to achieve the invention of claim 11 without regard to the fact that one of ordinary skill 
would have no reason to look to combine the references in the first place. The Examiner may not 
"pick and choose" features in the prior art and then combine them together in this manner. In re 
Hedges. The Examiner's attempt to do so is impermissible hindsight under the standards of In re 
Hedges. Accordingly, the Examiner has failed to state a prima facie obviousness rejection against 
claim 11 or any other claim in this grouping of claims. 

B.2. Claim 17 

Claim 17 is as follows: 

17. The computer-implemented method of claim 5, wherein the network 
equipment includes a load balancer. 

Regarding claim 17, the Examiner states that: 

Ricciulli does not disclose that the network equipment includes a load 
balancer. 



Skirmont, however, discloses that the network equipment includes a load 
balancer (Column 5, lines 52-67). It would have been obvious to one of 
ordinary skill in the art at the time of applicant's invention to incorporate the 
load balancing system of Skirmont in the intrusion detection system of 
Ricciulli in order to map packets that have a common source and destination 
by strict physical paths, while at the same time accomplishing efficient load 
balancing along the same physical paths, thus protecting packets being 
received out of order, and consequently being lost/discarded (Column 1, 
lines 41-64; and Column 2, lines 20-50). 

Final office action of June 27, 2006, p. 11. 



B.2.i. The Proposed Combination Does Not Teach or Suggest All of the Features of Claim 17 

The Examiner has failed to state a prima facie obviousness rejection because the proposed 
combination, when considered as a whole, does not teach or suggest all of the features of claim 17. 
Claim 17 depends from claim 5. As shown above, Ricciulli does not teach all of the features of 
claim 5. Ricciulli is devoid of disclosure regarding determination of logical entry points of attack 
and is devoid of disclosure regarding use of correlation engines to determine logical entry points of 
attack. Therefore, Ricciulli does not suggest these claimed features. 

Skirmont also does not teach the claimed features not shown in Ricciulli. Skirmont is 
directed towards load balancing among physical routers and towards determining egress points of a 
router. Skirmont is devoid of disclosure regarding determination of logical entry points of attack 
and is devoid of disclosure regarding use of correlation engines to determine logical entry points of 
attack. Therefore, Skirmont also does not suggest these claimed features. 

Because both Ricciulli and Skirmont do not teach or suggest the features of claim 17, the 
proposed combination when considered as a whole does not teach or suggest the features of claim 
17. Accordingly, under the standards of In re Royka, the Examiner has failed to state a prima facie 
obviousness rejection. 

B.2.ii. The Examiner Failed To State a Proper Reason To Achieve the Legal Conclusion of 
Obviousness under the Standards of KSR Int'l. 

Additionally, the examiner failed to state a prima facie obviousness rejection against claim 
17 because the examiner failed to state a proper reason to achieve the legal conclusion of 
obviousness under the standards of KSR Int'l. Regarding a reason to combine the references, the 
examiner states that: 

because such mapping is well known in the art and/or to maintain packet 
flows from a common source to a common destination to be routed along 
strict physical paths, thereby allowing for efficient detection and filtering of 
attacks, and/or to provide the system with efficient load balancing, thus 
protecting against packets being received out of order and consequently 
being lost/discarded. 

Office action of June 12, 2007, p. 7. 

However, the examiner's statement does not satisfy the requirements of KSR Int'l. The 
Court in KSR Int'l. states that, "Often, it will be necessary for a court to look to interrelated 
teachings of multiple patents; the effects of demands known to the design community or present in 
the marketplace; and the background knowledge possessed by a person having ordinary skill in the 
art, all in order to determine whether there was an apparent reason to combine the known elements 
in the fashion claimed by the patent at issue." KSR Int'l. Co. v. Teleflex, Inc., No. 04-1350 (U.S. 
Apr. 30, 2007). "Rejections on obviousness grounds cannot be sustained by mere conclusory 
statements; instead, there must be some articulated reasoning with some rational underpinning to 
support the legal conclusion of obviousness." Id. (citing In re Kahn, 441 F.3d 977, 988 (CA Fed. 
2006)). 

The examiner's statement provides no rational underpinning to support the legal 
conclusion of obviousness. The examiner only states a purported advantage to combine the 
references. However, the examiner does not provide any technical or other rational connection 
between the purported advantage and the legal conclusion of obviousness. Instead the examiner 
simply states the purported advantage and then assumes that the reader would recognize that the 
purported advantage would somehow compel the legal conclusion that claim 17 is obvious in view 
of the references. However, this assumption fails to comport with the requirements of KSR Int'l. 
that the examiner provide articulated reasoning with a rational underpinning to achieve the legal 
conclusion of obviousness in view of the references. Accordingly, under the standards of KSR 
Int'l., the examiner failed to state a prima facie obviousness rejection against claim 17 or any other 
claim in this grouping of claims. 

B.2.iii. Remaining Flaws in the Rejection of Claim 17 

The facts and arguments presented in sections B.1.ii. (the examiner picking and choosing 
features), B.1.iii. (teaching away), B.1.v. (different problems), and B.1.vi. (use of impermissible 
hindsight) apply with equal force to the rejection of claim 17. Accordingly, for similar reasons, the 
examiner failed to state a prima facie obviousness rejection against claim 17. 

C. GROUND OF REJECTION 3 (Claim 16) 

Claim 16 is as follows: 

16. The computer-implemented method of claim 5, wherein the network 
equipment includes a network dispatcher. 

Regarding claim 16, the Examiner states that: 

Ricciulli does not disclose that the network equipment includes a network 
dispatcher. 

ND, however, discloses that the network equipment includes a network 
dispatcher (Pages 1-2, Introduction, Paragraphs 1-4). It would have been 
obvious to one of ordinary skill in the art at the time of applicant's invention 
to incorporate the network dispatcher of ND into the intrusion detection 
system of Ricciulli in order to allow the system to protect a broader range of 
network equipment, thus increasing the types of routers that can be used and 
protected by the system, and to reach those customers that use network 
dispatchers. 

Final office action of June 27, 2006, pp. 10-11. 

C.l. The Proposed Combination Does Not Teach or Suggest All of the Features of Claim 16 

The Examiner has failed to state a prima facie obviousness rejection because the proposed 
combination, when considered as a whole, does not teach or suggest all of the features of claim 16. 
Claim 16 depends from claim 5. As shown above, Ricciulli does not teach all of the features of 
claim 5. Ricciulli is devoid of disclosure regarding determination of logical entry points of attack 
and is devoid of disclosure regarding use of correlation engines to determine logical entry points of 
attack. Therefore, Ricciulli does not suggest these claimed features. 

Hunt also does not teach the claimed features not shown in Ricciulli. Hunt is directed 
towards the design of a network dispatcher. Hunt is devoid of disclosure regarding determination 
of logical entry points of attack and is devoid of disclosure regarding use of correlation engines to 
determine logical entry points of attack. Therefore, Hunt also does not suggest these claimed 
features. 

Because neither Ricciulli nor Hunt teaches or suggests the features of claim 16, the 
proposed combination when considered as a whole does not teach or suggest the features of claim 
16. Accordingly, under the standards of In re Lowry, the Examiner has failed to state a prima facie 
obviousness rejection. 

C.2. The Examiner Failed To State a Proper Reason to Achieve the Legal Conclusion of 
Obviousness in View of the References 

Additionally, the examiner failed to state a prima facie obviousness rejection against claim 
16 because the examiner failed to state a proper reason to achieve the legal conclusion of 
obviousness under the standards of KSR Int'l. Regarding a reason to combine the references, the 
examiner states that: 

in order to allow the system to protect a broader range of network 
equipment, thus increasing the types of routers that can be used and 
protected by the system, and to reach those customers that use network 
dispatchers. 

Office action of June 12, 2007, p. 13. 

However, the examiner's statement does not satisfy the requirements of KSR Int'l. The 
Court in KSR Int'l. states that, "Often, it will be necessary for a court to look to interrelated 
teachings of multiple patents; the effects of demands known to the design community or present in 
the marketplace; and the background knowledge possessed by a person having ordinary skill in the 
art, all in order to determine whether there was an apparent reason to combine the known elements 
in the fashion claimed by the patent at issue." KSR Int'l Co. v. Teleflex, Inc., No. 04-1350 (U.S. 
Apr. 30, 2007). "Rejections on obviousness grounds cannot be sustained by mere conclusory 
statements; instead, there must be some articulated reasoning with some rational underpinning to 
support the legal conclusion of obviousness." Id. (citing In re Kahn, 441 F.3d 977, 988 (Fed. Cir. 
2006)). 

The examiner's statement provides no rational underpinning to support the legal 
conclusion of obviousness. The examiner only states a purported advantage to combine the 
references. However, the examiner does not provide any technical or other rational connection 
between the purported advantage and the legal conclusion of obviousness. Instead the examiner 
simply states the purported advantage and then assumes that the reader would recognize that the 
purported advantage would somehow compel the legal conclusion that claim 16 is obvious in view 
of the references. However, this assumption fails to comport with the requirements of KSR Int'l 
that the examiner provide articulated reasoning with a rational underpinning to achieve the legal 
conclusion of obviousness in view of the references. Accordingly, under the standards of KSR 
Int'l, the examiner failed to state a prima facie obviousness rejection against claim 16. 

C.3. No Rational Reason to Achieve the Legal Conclusion of Obviousness in View of 
Ricciulli and Hunt Exists Because They Address Different Problems 

No rational reason to achieve the legal conclusion of obviousness in view of the references, 
considered as a whole, exists because the references are directed towards solving different 
problems. It is necessary to consider the reality of the circumstances (in other words, common 
sense) in deciding in which fields a person of ordinary skill would reasonably be expected to look 
for a solution to the problem facing the inventor. In re Oetiker, 977 F.2d 1443 (Fed. Cir. 1992); In 
re Wood, 599 F.2d 1032, 1036, 202 U.S.P.Q. 171, 174 (CCPA 1979). In the case at hand, the cited 
references address distinct problems. Thus, no common sense reason exists to establish that one of 
ordinary skill would reasonably be expected to look for a solution to the problem facing the 
inventor. Accordingly, no teaching, suggestion, or motivation exists to combine the references and 
the Examiner has failed to state a prima facie obviousness rejection of claim 16. 

For example, Ricciulli is directed to solving the problem of detecting the router that is the 
physical entry point of a denial of service attack. Ricciulli provides that: 

Potential loss of revenue caused by preempting reliable TCP 
communications is enormous, and therefore adequate mechanisms for 
dealing with SYN flooding are needed. Current SYN flooding defense 
mechanisms seem to have greatly mitigated the problem by making it harder 
for an attacker to negatively affect service. The most popular approach uses 
a "brute force" technique. In this approach, the TCP "connection pending" 
data structure (implementing the connection request queue) is made 
sufficiently large that an average attacker, to be successful, would need to 
flood connection requests at a rate exceeding reasonable bandwidth 
capabilities. This solution, although sometimes very practical, requires large 
amounts of protected kernel memory and may slow down the server 
response time for looking up connections in the vast "connection pending" 
data structure. Other less popular techniques use one-way hash functions 
(with Internet "cookies") to verify the authenticity of connection requests 
and therefore eliminate unnecessary memory allocation. Some of these latter 
techniques can introduce changes in the TCP signaling behavior and are 
therefore less favored. Firewall approaches actively monitor the TCP 
signaling traffic to detect possible attacks and inject ad-hoc signaling 
messages in the network to mitigate the denial-of-service attack. These 
approaches are awkward because they introduce additional administrative 
complexity, may introduce significant delays for legitimate connection 
establishment, or may expose the system to different, though arguably less 
severe, kinds of vulnerabilities. 

No one mechanism seems to provide an optimal solution, and thus a careful 
protection approach is usually constructed by using a combination of 
techniques. What is needed is a solution that can complement or replace 
existing solutions. 

Ricciulli, col. 2, ll. 4-26. 

On the other hand, Hunt is directed to the problem of designing network dispatchers. For 
example, Hunt provides as follows: 

Network Dispatcher (ND) is a TCP connection router that supports load 
sharing across several TCP servers. Prototypes of Network Dispatcher were 
used to support several large scale high-load Web sites. Network Dispatcher 
provides a fast IP packet-forwarding kernel-extension to the TCP/IP stack. 
Load sharing is supported by a user-level manager process that monitors the 
load on the servers and controls the connection allocation algorithm in the 
kernel extension. This paper describes the design of Network Dispatcher, 
outlines Network Dispatcher's performance in the context of http traffic, and 
presents several of its features including high-availability, support for 
WANs, and client affinity. 

Hunt, Abstract (emphasis in original). 
Based on the plain disclosures of the references themselves, the references address 
completely distinct problems that are unrelated to each other. The problem of detecting the router 
that is the physical entry point of a denial of service attack is completely distinct from the problem 
of designing network dispatchers. 

Because the references address completely distinct problems, one of ordinary skill would 
have no reason to combine or otherwise modify the references to achieve the invention of claim 16. 
Thus, no rational reason exists to achieve the legal conclusion of obviousness in view of the 
references, considered as a whole. Accordingly, the Examiner has failed to state a prima facie 
obviousness rejection against claim 16. 

C.4. The Examiner Used Impermissible Hindsight When Combining the References 

The Examiner failed to state a prima facie obviousness rejection because the Examiner used 
impermissible hindsight when fashioning the rejections. "It is impermissible within the framework 
of section 103 to pick and choose from any one reference only so much of it as will support a given 
position, to the exclusion of other parts necessary to the full appreciation of what such reference 
fairly suggests to one of ordinary skill in the art." In re Hedges, 228 U.S.P.Q. 685, 687 (Fed. Cir. 
1986). Additionally, personal opinion cannot be substituted for what the prior art teaches because a 
prima facie case of obviousness is established when the teachings of the prior art itself suggest the 
claimed subject matter to a person of ordinary skill in the art. In re Bell, 991 F.2d 781, 783, 26 
U.S.P.Q.2d 1529, 1531 (Fed. Cir. 1993). In viewing the references as a whole, one of ordinary skill 
would look to the problems addressed by the references in determining whether to combine the 
references. 

As shown above, no rational reason exists to achieve the legal conclusion of obviousness of 
claim 16 in view of the references, under the standards of KSR Int'l. Also as shown above, the 
Examiner provided no reason why one of ordinary skill would recognize the proposed advantage. 
The Examiner has provided no reason why one of ordinary skill would, without a priori knowledge, 
think to incorporate network dispatchers in the rest of the claimed invention. Instead, the Examiner 
only provided a hypothetical advantage to combining the references. 

Given the disparity between the references, the Examiner clearly searched the prior art for 
the term "network dispatcher," found a reference, and then tried to glue the references together to 
achieve the invention of claim 16 without regard to the fact that one of ordinary skill would have no 
reason to look to combine the references in the first place. The Examiner may not "pick and 
choose" features in the prior art and then combine them together in this manner. In re Hedges. The 
Examiner's attempt to do so is impermissible hindsight under the standards of In re Hedges. 
Accordingly, the Examiner has failed to state a prima facie obviousness rejection against claim 16. 

D. CONCLUSION 

As shown above, Ricciulli does not anticipate the claims. Similarly, the Examiner has 
failed to state a prima facie obviousness rejection against the claims. Therefore, Applicants request 
that the Board of Patent Appeals and Interferences reverse the rejections. Additionally, Applicants 
request that the Board direct the Examiner to allow the claims. 



/Theodore D. Fay/ 
Theodore D. Fay 
Reg. No. 48,504 
Yee & Associates, P.C. 
PO Box 802333 
Dallas, TX 75380 
(972) 385-8777 
CLAIMS APPENDIX 



The text of the claims involved in the appeal is as follows: 

5. A computer-implemented method of identifying the entry point of an attack upon a device 
protected by an intrusion detection system, the method comprising the steps of: 

obtaining intrusion information, from an intrusion detection system, regarding an attack 
upon a device protected by the intrusion detection system; 

obtaining network information, from network equipment connected to the device, 
regarding the attack; 

determining a logical entry point of the attack using a correlation engine to correlate the 
intrusion information and the network information; and 

identifying a physical entry point associated with the logical entry point. 

6. The computer-implemented method of claim 5, wherein the intrusion information 
includes an address. 

7. The computer-implemented method of claim 6, wherein the address is a source address. 

8. The computer-implemented method of claim 6, wherein the address is a destination 
address. 

9. The computer-implemented method of claim 6, wherein the network information includes 
a logical port identifier of a logical port associated with the address. 
10. The computer-implemented method of claim 9, wherein the step of determining a logical 
entry point includes the step of finding, in the network information, the logical port identifier of 
the logical port associated with the address. 

11. The computer-implemented method of claim 9, wherein the step of identifying a physical 
entry point includes the step of identifying a physical port associated with the logical port. 

15. The computer-implemented method of claim 5, wherein the network equipment includes 
a firewall with routing function. 

16. The computer-implemented method of claim 5, wherein the network equipment includes 
a network dispatcher. 

17. The computer-implemented method of claim 5, wherein the network equipment includes 
a load balancer. 

18. The computer-implemented method of claim 5, wherein the intrusion detection system 
includes network based intrusion detection equipment. 

19. The computer-implemented method of claim 5, wherein the intrusion detection system 
includes host based intrusion detection equipment. 
20. The computer-implemented method of claim 5, wherein the intrusion detection system 
includes application based intrusion detection equipment. 

21. A method of identifying the entry point of an attack upon a device protected by an 
intrusion detection system, said device one of a plurality of devices connected by a network, the 
method comprising the computer-implemented steps of: 

detecting an attack on the device; 

notifying a correlation engine of the attack on the device; 
obtaining intrusion information regarding the attack; 
obtaining network information regarding the attack; 

using the correlation engine, correlating the intrusion information and the network 
information to produce correlation information; 

using the correlation information, finding on the network a logical port of connection 
used by the attack; and 

mapping the logical port on the network to a physical port on the network using the 
correlation engine. 

22. The method of claim 21 comprising the further step of: alerting a network manager to the 
location of the logical port and of the physical port. 

23. The method of claim 21 wherein the step of mapping is performed using the correlation 
engine. 
24. The method of claim 21 wherein: 

the intrusion information includes an address; and 

the network information includes a logical port identifier of a logical port associated with 
the address. 

25. An apparatus for detecting a point of an attack on a network, the apparatus comprising: 
network equipment for connecting a protected device to a network; 

an intrusion detection system comprising intrusion detection equipment; 
a correlation engine adapted to: 

receive a notification of an attack on the protected device; 

receive intrusion information regarding the attack; 

receive network information regarding the attack, wherein the network 
information pertains to the network; 

correlate the intrusion information and the network information to produce 
correlation information; 

use the correlation information to find on the network a logical port of connection 
used by the attack; and 

map the logical port on the network to a physical port on the network using the 
correlation engine. 

26. The apparatus of claim 25 further comprising: 

means for alerting a network manager to the location of the logical port and of the 
physical port. 
27. The apparatus of claim 25 wherein: 

the intrusion information includes an address; and the network information includes a 
logical port identifier of a logical port associated with the address. 
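The following is an added illustration of the correlation steps recited in claims 5, 9-11, 21 and 22 above, written for this page; it is not code from the application, from IBM, or from the cited references. The intrusion information (an IDS alert carrying a source address), the network information (per-device tables mapping addresses to logical port identifiers) and the logical-to-physical port maps are all constructed sample data, and the device and port names are invented for the example. The engine correlates the alert's source address with the address tables to find the logical entry point on each device that saw it, maps each to a physical port where a mapping exists, and builds the message a network manager would be alerted with. It also shows the two failure modes a practitioner hits in practice: a device that reports a logical port but no physical mapping, and a source address (for instance a spoofed one) that no device has a table entry for.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IntrusionInfo:
    """Intrusion information as delivered by an IDS (claim 5, first step)."""
    target: str      # protected device under attack
    source: str      # attacker address reported by the IDS (claim 7)
    signature: str   # what the IDS matched


@dataclass(frozen=True)
class EntryPoint:
    device: str                   # network equipment that saw the address
    logical_port: str             # logical port identifier (claim 9)
    physical_port: Optional[str]  # None when no physical mapping was reported


# Constructed sample IDS alert (not real traffic).
SAMPLE_ALERT = IntrusionInfo(target="10.0.0.5", source="198.51.100.23",
                             signature="TCP SYN flood")

# Constructed network information: for each piece of network equipment
# (dispatcher, firewall, load balancer; hypothetical names), the
# address -> logical port table it reported.
NETWORK_INFO: Dict[str, Dict[str, str]] = {
    "dispatcher-1": {"198.51.100.23": "vlan100/7", "10.0.0.5": "vlan10/1"},
    "fw-1":         {"203.0.113.9": "outside"},
    "lb-1":         {"198.51.100.23": "pool-A"},
}

# Constructed logical -> physical port maps; lb-1 has reported none,
# so its logical entry point cannot be resolved to a physical port.
PORT_MAP: Dict[str, Dict[str, str]] = {
    "dispatcher-1": {"vlan100/7": "GigabitEthernet0/7",
                     "vlan10/1": "GigabitEthernet0/1"},
    "fw-1":         {"outside": "eth1"},
}


class CorrelationEngine:
    """Correlates intrusion information with network information."""

    def __init__(self, network_info: Dict[str, Dict[str, str]],
                 port_map: Dict[str, Dict[str, str]]) -> None:
        self.network_info = network_info
        self.port_map = port_map

    def find_logical_ports(self, address: str) -> List[Tuple[str, str]]:
        """Claim 10: find, in the network information, the logical port
        identifier associated with the address, on every device that saw it.
        Results are sorted by device name so the output is deterministic."""
        hits = []
        for device in sorted(self.network_info):
            port = self.network_info[device].get(address)
            if port is not None:
                hits.append((device, port))
        return hits

    def map_to_physical(self, device: str, logical_port: str) -> Optional[str]:
        """Claim 11: identify the physical port associated with the logical port."""
        return self.port_map.get(device, {}).get(logical_port)

    def locate_entry_points(self, alert: IntrusionInfo) -> List[EntryPoint]:
        """Claims 5 and 21: correlate the alert's source address with the
        network information, then map each logical entry point to a physical
        one. Every candidate is returned because more than one device may
        have seen the address. An empty list means no device reported the
        address, which is what a spoofed source looks like: learned address
        tables cannot locate it, and flow records would be needed instead."""
        return [EntryPoint(device, port, self.map_to_physical(device, port))
                for device, port in self.find_logical_ports(alert.source)]


def alert_message(alert: IntrusionInfo, entry: EntryPoint) -> str:
    """Claim 22: the text handed to the network manager for one entry point."""
    phys = entry.physical_port or "physical port unknown"
    return (f"{alert.signature} against {alert.target} from {alert.source}: "
            f"entered {entry.device} on logical port {entry.logical_port} ({phys})")


if __name__ == "__main__":
    engine = CorrelationEngine(NETWORK_INFO, PORT_MAP)
    for entry in engine.locate_entry_points(SAMPLE_ALERT):
        print(alert_message(SAMPLE_ALERT, entry))
```

Running the block prints one line per candidate entry point for the constructed alert: the dispatcher's logical port resolves to a physical interface, while the load balancer's logical port is reported with its physical port marked unknown, which is the operator's cue to pull that device's port map.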
EVIDENCE APPENDIX 



There is no evidence to be presented. 
RELATED PROCEEDINGS APPENDIX 



There are no related proceedings. 